MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16956685e8f153db05d1eda237f9fde5ae23cecc8de57f891be024af9af05626. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16956685e8f153db05d1eda237f9fde5ae23cecc8de57f891be024af9af05626
SHA3-384 hash: 24b500cad9ad4077d32f4299f8212c6056a0518753011a2aa2957ef369efccbf1d4d3a1ee577bd6ebf1dedc436e969e1
SHA1 hash: bf0733aeadf7b2ce28093212dbdfb32220183f5a
MD5 hash: cb5fbc9ecfc211e857c8ce2f5ac1547c
humanhash: washington-fourteen-bakerloo-jig
File name:cb5fbc9ecfc211e857c8ce2f5ac1547c
Download: download sample
Signature Formbook
Create hunting rule
File size:462'420 bytes
First seen:2022-02-15 20:57:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:7w/H1K7QD/UJKdEEaPIfk6ee4rSjlO2lG5IjegjWJX83X2G:lETOK+PPIfk84r4regjWJs3X2G
Threatray 13'332 similar samples on MalwareBazaar
TLSH T184A4793171B8A8AEF38C963FFECDD16C5BA7BD358BD8060676667A5A2430051CF84346
File icon (PE):PE icon
dhash icon 30b2b2716968e896 (1 x Formbook)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241745/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/620c13e6ac8ad0468b43cfd3/reports/25ef8613-7469-45c0-8acb-b0a491bc4af7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5c08ca36-eb52-450a-b25f-5c16308d63d0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/940414
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 572888 Sample: 3VDm4JThP4 Startdate: 15/02/2022 Architecture: WINDOWS Score: 100 34 www.airpodspromocion.online 2->34 36 airpodspromocion.online 2->36 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 5 other signatures 2->58 12 3VDm4JThP4.exe 19 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\yoywghryww.exe, PE32 12->32 dropped 15 yoywghryww.exe 12->15         started        process6 signatures7 70 Multi AV Scanner detection for dropped file 15->70 72 Tries to detect virtualization through RDTSC time measurements 15->72 18 yoywghryww.exe 15->18         started        process8 signatures9 44 Modifies the context of a thread in another process (thread injection) 18->44 46 Maps a DLL or memory area into another process 18->46 48 Sample uses process hollowing technique 18->48 50 Queues an APC in another process (thread injection) 18->50 21 explorer.exe 18->21 injected process10 dnsIp11 38 autoforsells.com 15.197.142.173, 49815, 80 TANDEMUS United States 21->38 40 www.hxwjy.com 172.241.78.46, 49809, 80 LEASEWEB-USA-SFO-12US United States 21->40 42 15 other IPs or domains 21->42 60 System process connects to network (likely due to code injection or exploit) 21->60 62 Performs DNS queries to domains with low reputation 21->62 25 mstsc.exe 21->25         started        signatures12 process13 signatures14 64 Modifies the context of a thread in another process (thread injection) 25->64 66 Maps a DLL or memory area into another process 25->66 68 Tries to detect virtualization through RDTSC time measurements 25->68 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/16956685e8f153db05d1eda237f9fde5ae23cecc8de57f891be024af9af05626/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-02-15 17:54:00 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c2kwnbpi6fj5wbor5wrdp6p54wxchtwmrxsx7ci34ask7gxqkyta._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
7cbd8cc35b03d65491ad01b6a44b84dc047e6663189554201c24dbfbeb81473c
Formbook
94517fa5a38b384136a3027f7588daa605494dd888e4658cb89d521f5fb2d55a
Formbook
aa067750ad705a1b6176cb6f3f91466c9d5c2ee4457c2466b995bef70c04b240
Formbook
b7cf8d9d8db4c5eaf796d35251bfc2b24f34c2c77d2ca82a1ebf470323c0894f
Formbook
c770def66ece0d6100ca50a3b54898be0c177e7d0baddd8803785571f83c1c1a
Formbook
d2cc3484cdabe8305bf9afd35530ca1118ca2c308408dc7140c3a94b392b60bb
Formbook
ef15eca83cb6c33e63b81fc047ebf055ea8d6855118fc616ec051ec0222307ac
Formbook
+ 13'322 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:p86f loader rat
Link:
https://tria.ge/reports/220215-zr6ggsabd5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Xloader Payload
Xloader
Unpacked files
SH256 hash:
9a2c3dc5f64965d1ede8e3aaae5a8a68d1e1dd578f1e4ddff0aaa7aec8d514b0
MD5 hash:
447b8a7f3b34e318401111ad7c832fc7
SHA1 hash:
d4da8c1684c03da8fbfe24ab975c53583f063034
Link:
https://www.unpac.me/results/3f215996-40df-49ca-961d-3807069d39d4/
SH256 hash:
ad9b920aac8b7bb26dea731f2e822e27a38fd14565db2cac3c439dba4eb4c2cb
MD5 hash:
8c2bf680706eab9c447b8c4cab0f5c28
SHA1 hash:
9732dfb5179a610f42f1637bc0af2222ef97d81e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/3f215996-40df-49ca-961d-3807069d39d4/
Parent samples :
10ff5c8bac827b012bc5b6f789e7c23913b662453cd0bcc7f3f5192260d7a950
4d905d988ba707e76ad18d72f16b931c1868e3ad4be521bf6142d6b9acf5b28f
e0b985ed9547d4799d352c98ed428c0ba78e3abfec8897ec406ea07f306cb982
bfb63f78c88894c097832d1073716db0d322456da3a2bccc15e57eac15fa903d
ef15eca83cb6c33e63b81fc047ebf055ea8d6855118fc616ec051ec0222307ac
16956685e8f153db05d1eda237f9fde5ae23cecc8de57f891be024af9af05626
SH256 hash:
16956685e8f153db05d1eda237f9fde5ae23cecc8de57f891be024af9af05626
MD5 hash:
cb5fbc9ecfc211e857c8ce2f5ac1547c
SHA1 hash:
bf0733aeadf7b2ce28093212dbdfb32220183f5a
Link:
https://www.unpac.me/results/3f215996-40df-49ca-961d-3807069d39d4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16956685e8f153db05d1eda237f9fde5ae23cecc8de57f891be024af9af05626

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 16956685e8f153db05d1eda237f9fde5ae23cecc8de57f891be024af9af05626

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2044586/
Cape
Cape
https://www.capesandbox.com/analysis/241745/

Comments


Avatar
zbet commented on 2022-02-15 20:57:56 UTC

url : hxxp://192.3.245.195/433/vbc.exe